<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    
<?php 
$layout = explode('&&&', file_get_contents('layout.html'));
echo $layout[0];

session_start();
if (!(isset($_SESSION['username'])))
	header("location:login.php");
?>

<html>
<style type="text/css">
<!--
.style1 {color: #FF0000}
-->
</style>
<body>

<!-- Begin Main Column -->

<div id="mainContent">
	
	<h2>Change Password</h2>
    <p></p>
    Note: Required fields denoted with an asterisk(*)
	<form id="form1" method="post" action="">
	  <table width="444" height="96" border="0">
        <tr>
          <td width="159" height="28">* Old Password:</td>
        <td width="275"><label>
            <input type="password" name="old_password" id="old_password" />
        </label></td>
        </tr>
        <tr>
          <td height="29">* New Password:</td>
        <td><label>
            <input type="password" name="new_password" id="new_password" />
        </label></td>
        </tr>
        <tr>
          <td height="31">* Confirm New Password:</td>
      <td><label>
            <input type="password" name="confirm_new_password" id="confirm_new_password" />
      </label></td>
        </tr>
      </table>
      <p>
        <label>
        <input type="submit" name="submit" id="submit" value="Submit" class="button" />
        </label></p>
	</form>
    
    <?php
	 	if($_POST) {
			ob_start();
			$host="localhost"; // Host name
			$username="root"; // Mysql username
			$password=""; // Mysql password
			$db_name="rtl"; // Database name
			$tbl_name="user"; // Table name
			
			// Connect to server and select databse.
			mysql_connect("$host", "$username", "$password")or die("cannot connect");
			mysql_select_db("$db_name")or die("cannot select DB");
			
			$old_password=$_POST['old_password'];
			$new_password=$_POST['new_password'];
			$confirm_new_password=$_POST['confirm_new_password'];
			
			// To protect MySQL injection (more detail about MySQL injection)
			$old_password = stripslashes($old_password);
			$new_password = stripslashes($new_password);
			$confirm_new_password = stripslashes($confirm_new_password);

			$old_password = mysql_real_escape_string($old_password);
			$new_password = mysql_real_escape_string($new_password);
			$confirm_new_password = mysql_real_escape_string($confirm_new_password);
			
			if($old_password != NULL && $new_password != NULL && $confirm_new_password != NULL) {
				$username = $_SESSION['username'];
				$get_database_password = mysql_query("SELECT Passwd FROM $tbl_name WHERE UserID='$username'");
				if (!$get_database_password) {
   					 die('Could not query:' . mysql_error());
				}
				$database_password = mysql_result($get_database_password, 0);
				$old_password = md5($old_password);
				if($old_password == $database_password) {
					if($new_password == $confirm_new_password) {
						$new_password = md5($new_password);
						mysql_query("UPDATE $tbl_name SET Passwd='$new_password'");
						echo "Password successfuly changed.";
					}
					else {
						if($new_password != $confirm_new_password)
							echo "Password must match password confirmation.";
					}
				}
				else {
					echo "Old password does not match database password.";
				}
			}
			else {
				echo "Required fields needed.";
			}
			
			ob_end_flush();
		}
	?>
    
</div>

<!-- Begin Side Column -->
<!-- Begin Footer -->
<?php
echo $layout[1];
?>

</body>
</html>